FAQ: HIPAA Privacy and Security Regulations


U-M and the University of Michigan Health System (UMHS) are committed to protecting “protected health information” in accordance with all applicable state and federal laws.

Q: Are there laws or U-M or UMHS policies regarding the handling of protected health information?

A: Yes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes rules and regulations regarding access to and disclosure of protected health information. Under HIPAA, protected health information, or PHI, is individually identifiable health information. Michigan law also protects patients’ PHI and includes heightened protections for the disclosure of mental health and substance abuse records. Another federal law, commonly known as “Part 2,” protects substance abuse records in some instances (depending on where and from whom services are delivered).

UMHS and the U-M Benefits Office both issue Notices of Privacy Practices¹ that outline how each entity uses and discloses PHI. Both entities have policies that address the use and disclosure of PHI. For more information and a link to policies, visit Protecting Your Privacy (HIPAA) and Protecting Health Information – HIPAA.

Q: What is Protected Health Information (PHI)?

A: According to HIPAA’s Privacy Rule, PHI includes individually identifiable health information that relates to:

  • an individual’s past, present or future physical or mental health or condition;
  • the provision of health care to an individual; or
  • the past, present or future payment for the provision of health care to an individual.

Q: What rights do patients have as it relates to their PHI?

A: HIPAA provides the following patient rights:

  • The right to review a copy of the patient’s own health records.
  • The right to seek and view an amendment to the patient’s own health records.
  • The right to receive a notice that explains how UMHS or U-M may use or share PHI.
  • For certain purposes, such as marketing, the right to provide permission before the patient’s PHI may be used or shared.
  • For some disclosures, the right to receive a report on when and why one’s own PHI was shared.
  • In the event the patient’s rights are being denied, or UMHS or U-M is alleged not to be taking proper steps to adequately protect the patient’s PHI, the right to:
    • file a complaint with the patient’s provider or health insurer; or
    • file a complaint with the Office for Civil Rights.

Q: What happens if PHI is disclosed or accessed in an inappropriate manner?

A: Under HIPAA regulations, if PHI is disclosed or accessed in an inappropriate manner, typically an investigation will take place to determine if a breach has occurred. A breach will result in notification to the affected individual(s).

The UMHS Compliance Office is responsible for receiving complaints alleging violation(s) of HIPAA’s Privacy and Security Rules, and for investigating and resolving these allegations. (See UMHS Policy 01-04-317, “Breach of Unsecured Protected Health Information,” and UMHS Policy, 01-04-385, “Receiving and Resolving Privacy Complaints.”)

The UMHS Compliance Office works closely with the Office of the Vice President and General Counsel in determining if a breach has occurred.

Q: What resources are available to learn more about patient privacy matters?

A: The following resources are available to assist with general privacy inquiries:

  • The Office for Civil Rights (OCR). OCR is the federal agency that oversees and enforces HIPAA’s Privacy and Security Rules.
  • The UMHS Compliance Office.

U-M, including UMHS, takes the privacy of its patients seriously. Please contact the Compliance Office at (734) 615-4400 or the Office of the Vice President and General Counsel at (734) 764-2178 if we can provide additional information.

¹ Notice of Privacy Practices. See http://www.uofmhealth.org/protecting-your-privacy-hipaa; http://benefits.umich.edu/forms/hipaa_notice.pdf